State-sponsored cyber spies target business secrets

Suspected state-sponsored malware


1. Stuxnet

Computer worm discovered in June 2010, designed to sabotage industrial machinery (most notably the centrifuges of a uranium-enrichment plant) by attacking the Siemens programmable logic controllers that drive it.

2. Duqu

Discovered in 2011 and thought to share code with Stuxnet, Duqu gathers information, such as keystrokes and system details, that could be used in attacking industrial control systems.

3. Flame

Discovered in May 2012, Flame is designed to carry out cyber espionage by stealing computer display contents, files, data and even audio conversations.

4. Gauss

Discovered in August 2012, Gauss is designed to monitor online banking accounts by stealing browser history, cookies, passwords and system configurations.

Compromised records

The global Breach Level Index, to be published next week by Gemalto, reveals that state-sponsored cyber attacks accounted for just 2 per cent of data breach incidents during the first six months of 2015, yet the records compromised in those attacks amounted to 42 per cent of the total.

Further, while none of the top-ten breaches from the first half of 2014 were thought to be state sponsored, three of the top ten in 2015 were, including the two largest, at Anthem Insurance and the US Office of Personnel Management.

“State-sponsored attacks were the second highest source of data records loss, with 102.4 million, behind malicious outsiders responsible for 112 million,” says Jason Hart, chief technology officer for data protection at Gemalto.


The days of such attacks being aimed purely at government organisations also seem to be over. According to threat forensics specialist FireEye, during the first six months of 2015 there were considerably more state-sponsored cyber attacks on the private sector (87 per cent) than on the public sector (13 per cent). The common link between all such attacks is the sensitive nature of the data targeted.

Sensitive data

Nick Coleman, the global head of cyber security intelligence services with IBM and a former national reviewer of cyber security for the UK government, explains that all sensitive information “has an economic value and can be sold as a commodity whether it’s health records, credit card information or intellectual property”.

The motive behind these attacks, therefore, will fall into one of three groupings: commercial (simple profit motive); strategic (disruption to infrastructure and brand reputation for economic or competitive advantage); and image related (propaganda value of brand damage).

Perhaps the biggest danger for any business, no matter which sector it operates in, is thinking its data isn’t sensitive enough to be of any interest. “Companies such as HR outsourcers are seen as a stepping-stone for an attack on more critical targets,” warns Klaus Kursawe, chief scientist at the European Network of Cyber Security.

Since the intelligence community now embraces the concept of big data, there is also a tendency to collect as much stolen data as possible and mine it for usable insights. Then there’s the possible advantage of inflicting collateral damage through an attack on the private sector to consider.

“A targeted attack against the finance industry could not only cause significant disruption to the economy, but also stoke civil unrest if it affects enough of the domestic population,” says Chris McIntosh, chief executive of security and communications company ViaSat UK and a retired lieutenant colonel in the Royal Signals.

Indeed, Colonel McIntosh argues that cyber is increasingly the first weapon of choice in low-level conflict because it is relatively cheap and very effective. The same logic explains why state-sponsored cyber attacks against organisations have become so commonplace, with the added factor that they carry relatively little risk for the attacker.

Cyber weapons

“Since a cyber attack is essentially anonymous or at any rate very hard to attribute,” he explains, “it’s easy for countries to publicly deny responsibility for attacks while secretly sanctioning them through state-sponsored groups.”


Colonel Cedric Leighton, former deputy director for training at the National Security Agency, where he oversaw the training of America’s so-called cyber warriors, adds that you shouldn’t underestimate the influence of economic competitive advantage in this uptake of state-sponsored attacks.

“If these countries can develop a product without the sunk R&D costs a Western company would have, then they can offer it to the marketplace at a cheaper price,” he says. “That allows a country like China to continue its economic miracle for a bit longer.”

So we know what is being done and why, but that still leaves the question of how this differs from “traditional” cyber crime. The answer is, surprisingly, not much at all. Verizon’s Data Breach Investigations Report series reveals that two thirds of all cyber-espionage attacks over the past two years have featured phishing, which usually combines social engineering with malware.

However, state-sponsored attackers are typically more patient than other threat actors. “They don’t mind working slowly on their target until they are able to gain their trust and successfully install malware on their machine,” says Laurance Dine, managing principal at the Verizon Investigative Response Unit. “This slow and steady approach differentiates state-sponsored attackers.”

It is a fallacy to think that zero-days feature in every state-sponsored attack. Actors often use much the same methods as criminals, targeted phishing e-mails and known exploits, precisely because such generic tooling is hard to attribute to any specific group or nation state, and because a zero-day spent on a target that would have fallen to a known exploit is a zero-day wasted.

Indeed, Paul Pratley, who is head of investigations and incident response at MWR InfoSecurity, thinks that “only when a company is highly mature in its security posture, is a high-value target and generic attacks fail, will they [the attackers] resort to using costly zero-day malware developed internally”.

Steps to take

That leaves the question of what the average organisation can do to detect and deal with state-sponsored attacks. Guillaume Lovet, threat response manager at enterprise security provider Fortinet, puts forward a three-point plan:

1. Make reconnaissance and replication (the identification and reproduction of your defence system) difficult by having complex, hidden, layered and varied defences. An attacker who cannot work out what you run, or stand up a copy of it, cannot test their tooling against it before use.

2. Limit the attack surface for the initial infection vectors by keeping systems patched and up to date, which forces an attacker to use less common and more costly zero-day exploits. The attack surface also includes people, so employee education is key.

3. Limit the propagation and persistence of the initial compromise with well-segmented networks and meaningful access policies. For example, an accountant’s desktop should not be able to reach the company’s source code repository at all.

Security lapse let China in

In late 2014, a Japanese manufacturing company covering everything from automotive production lines to micro-electronics assembly, and with European operations centred in the UK, was the target of a suspected state-sponsored attack.

The incident consisted of malicious e-mails containing malware that appeared to have been sent from two long-standing and trusted UK employees to chief design engineers and executives in Japan.

The e-mails used social engineering based on company product information to entice the recipients to open and execute a malicious attachment. The attachment dropped a remote administration tool (RAT) which called back to a Chinese IP address. Two systems were infected, and from them design schematics and advance earnings reports were stolen.
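A RAT that calls back to its controller on a timer leaves a regular pattern in outbound proxy or firewall logs. The following is an added example of how a defender might surface that pattern; it is not code from the page, MWR InfoSecurity or the affected company. The log format, the hosts and addresses, the thresholds and the constructed sample log are all assumptions made for the illustration.

```python
"""Detect periodic outbound callbacks (beaconing) in proxy or firewall logs.

Added illustration for the RAT callback described in the case study. This is
not code from the page, MWR InfoSecurity or the affected company; the log
format, hosts, addresses and thresholds below are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <src_ip> <dst_ip> <bytes_out>".
# 203.0.113.77 receives a small request roughly every 60 s (an implant polling
# its controller); 198.51.100.10 is ordinary, bursty browsing from the same host.
SAMPLE_LOG = """\
2014-11-03T09:00:00 10.1.4.23 203.0.113.77 412
2014-11-03T09:00:04 10.1.4.23 198.51.100.10 18233
2014-11-03T09:01:01 10.1.4.23 203.0.113.77 409
2014-11-03T09:01:35 10.1.4.23 198.51.100.10 5120
2014-11-03T09:01:59 10.1.4.23 203.0.113.77 415
2014-11-03T09:03:02 10.1.4.23 203.0.113.77 411
2014-11-03T09:04:00 10.1.4.23 203.0.113.77 408
2014-11-03T09:04:48 10.1.4.23 198.51.100.10 77000
2014-11-03T09:05:01 10.1.4.23 203.0.113.77 413
2014-11-03T09:05:59 10.1.4.23 203.0.113.77 410
2014-11-03T09:06:59 10.1.4.23 203.0.113.77 414
2014-11-03T09:07:45 10.1.4.23 198.51.100.10 2400
2014-11-03T09:08:01 10.1.4.23 203.0.113.77 412
2014-11-03T09:09:00 10.1.4.23 203.0.113.77 409
2014-11-03T09:09:12 10.1.4.23 198.51.100.10 64000
2014-11-03T09:10:00 10.1.4.23 203.0.113.77 411
"""


def parse_log(text):
    """Group (timestamp, bytes_out) events by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def _cv(values):
    """Coefficient of variation: spread relative to the mean (0 = perfectly regular)."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def flow_stats(events):
    """Timing and size regularity for one src->dst flow; None if too few events."""
    if len(events) < 2:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    return {"count": len(events), "mean_gap": mean(gaps),
            "gap_cv": _cv(gaps), "size_cv": _cv(sizes)}


def find_beacons(text, min_events=5, max_gap_cv=0.2, max_size_cv=0.2):
    """Flag flows whose inter-request interval and request size are both
    unusually regular. The thresholds are assumptions to tune per environment."""
    hits = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        stats = flow_stats(events)
        if stats["gap_cv"] <= max_gap_cv and stats["size_cv"] <= max_size_cv:
            hits.append({"src": src, "dst": dst, **stats})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} requests, "
              f"mean gap {hit['mean_gap']:.0f}s, gap CV {hit['gap_cv']:.2f}, "
              f"size CV {hit['size_cv']:.2f}")
```

On the constructed log the flow to 203.0.113.77 is flagged (eleven requests, mean gap 60 seconds, interval and size variation both under 5 per cent) while the browsing flow is not. Real implants add sleep jitter and may pad requests, so in practice the thresholds are looser, the analysis window is hours rather than minutes, and periodic-but-legitimate clients such as NTP, update agents and monitoring probes need an allow-list; regularity is one signal to combine with destination reputation, not a verdict on its own.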

The impact on the company showed first in share-price swings; over the longer term it expects further lost earnings as its design secrets are incorporated into competitors’ product lines. Because strategic intellectual property was stolen, the company will probably have to alter future lines significantly to remain competitive.

The malicious e-mails bypassed normal security scanning because they were internal communications, yet the employees concerned had not sent them. MWR InfoSecurity determined that a rogue wi-fi access point had been operating near the company’s stand at a British trade show. It intercepted requests for the company’s domain and redirected them to a fake Outlook Web Access page, which captured the users’ credentials as they logged on to their e-mail; those credentials were later used to send the internal targeted e-mails. The company carried out a thorough investigation to ensure the attackers had been evicted from its network.

Investigators concluded that the beneficiaries of the theft were Chinese interests and that the source indicators pointed to Chinese infrastructure. Since the incident, the company has implemented two-factor authentication for e-mail, so that a captured password alone no longer grants mailbox access, and has conducted user-awareness training to help staff recognise malicious redirection of their traffic in future.
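The stolen-credential stage of this incident leaves two traces a defender can correlate: a webmail login from an address the user has never used before, followed shortly by internal mail carrying an executable attachment. The following is an added example of that correlation; it is not code from the page, MWR InfoSecurity or the affected company. The log formats, user names, addresses, baseline cut-off date, time window and attachment extension list are assumptions, and both logs are constructed for the illustration.

```python
"""Correlate webmail logins from previously unseen source addresses with
internal mail that carries executable attachments.

Added illustration for the stolen-credential stage of the case study. This is
not code from the page, MWR InfoSecurity or the affected company; the log
formats, names, addresses, cut-off date, window and extension list are
assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed webmail authentication log: "<ISO ts> <user> <src_ip> <result>".
# Before November both users only ever log in from the office range 192.0.2.0/24.
AUTH_LOG = """\
2014-10-20T08:02:11 a.smith 192.0.2.15 success
2014-10-21T08:05:40 a.smith 192.0.2.15 success
2014-10-22T08:01:03 a.smith 192.0.2.15 success
2014-10-20T09:12:55 j.brown 192.0.2.31 success
2014-10-23T07:58:20 j.brown 192.0.2.31 success
2014-11-03T02:14:37 a.smith 203.0.113.45 success
2014-11-03T02:20:09 j.brown 203.0.113.45 success
2014-11-03T08:03:14 a.smith 192.0.2.15 success
"""

# Constructed outbound mail log: "<ISO ts> <sender> <recipient> <attachment|->".
MAIL_LOG = """\
2014-10-22T10:30:00 a.smith k.tanaka@example.co.jp Q3_forecast.xlsx
2014-11-03T02:31:52 a.smith k.tanaka@example.co.jp Product_Update.scr
2014-11-03T02:33:10 a.smith h.sato@example.co.jp Product_Update.scr
2014-11-03T02:41:05 j.brown m.ito@example.co.jp Design_Review.exe
2014-11-03T09:15:00 a.smith j.brown@example.com -
"""

# Assumptions for this example: extensions treated as executable content, the date
# before which logins are trusted as the per-user baseline, and how long after a
# suspicious login outbound mail is attributed to that session.
RISKY_EXT = {".exe", ".scr", ".pif", ".js", ".jar", ".docm", ".xlsm"}
BASELINE_CUTOFF = datetime(2014, 11, 1)
WINDOW = timedelta(hours=2)


def parse(text):
    """Split whitespace-separated log lines into (timestamp, field, field, field)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, *fields = line.split()
            rows.append((datetime.fromisoformat(ts), *fields))
    return rows


def new_source_logins(auth_rows):
    """Successful logins after the cut-off from an address the user never used before it."""
    known = defaultdict(set)
    for ts, user, ip, result in auth_rows:
        if result == "success" and ts < BASELINE_CUTOFF:
            known[user].add(ip)
    return [(ts, user, ip) for ts, user, ip, result in auth_rows
            if result == "success" and ts >= BASELINE_CUTOFF and ip not in known[user]]


def risky_attachment(name):
    """True for attachment names with an extension in RISKY_EXT ('-' means none)."""
    return name != "-" and any(name.lower().endswith(ext) for ext in RISKY_EXT)


def correlate(auth_text, mail_text):
    """One alert per new-source login that is followed, within WINDOW, by mail
    from the same account carrying a risky attachment."""
    alerts = []
    mail = parse(mail_text)
    for ts, user, ip in new_source_logins(parse(auth_text)):
        sent = [(mts, rcpt, att) for mts, sender, rcpt, att in mail
                if sender == user and ts <= mts <= ts + WINDOW and risky_attachment(att)]
        if sent:
            alerts.append({"user": user, "src_ip": ip, "login": ts, "mails": sent})
    return alerts


if __name__ == "__main__":
    for alert in correlate(AUTH_LOG, MAIL_LOG):
        print(f"{alert['user']} logged in from new address {alert['src_ip']} at "
              f"{alert['login']:%Y-%m-%d %H:%M} and then sent:")
        for mts, rcpt, att in alert["mails"]:
            print(f"    {mts:%H:%M} -> {rcpt}  [{att}]")
```

Run on the constructed logs, the script raises two alerts: a.smith’s 02:14 login from 203.0.113.45 followed by two .scr attachments to Japan, and j.brown’s 02:20 login followed by a .exe. The legitimate 08:03 login from the office range and the attachment-free message later that morning produce nothing. Note what this check does not do: because the attacker held valid credentials, the messages themselves were authentic internal mail, so SPF, DKIM or sender-spoofing checks would not have fired; the signal is in the session that sent them, which is also why the two-factor authentication the company added afterwards addresses the root of the problem rather than its symptom.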